I lowkey forgot to commit

docs/03-auth-and-users.md

@@ -0,0 +1,19 @@
+# Authentication & Users
+
+## Modal auth
+- Login and registration happen in a Bootstrap modal.
+- AJAX submits keep users on the same page; state updates after reload.
+- Remember-me cookie keeps users logged in across sessions.
+
+## Roles
+- `ROLE_USER`: default for registered users.
+- `ROLE_ADMIN`: promoted via console `app:promote-admin`.
+
+## Password changes
+- On `/dashboard`, users can change email/display name.
+- To set a new password, the current password must be provided.
+
+## Logout
+- `/logout` (link in user menu).
+
+